8 years of Android: malware, malicious apps, and how to stay safe

At eight years old, Android is hugely popular. Both with users and attackers

Happy Birthday Android! It has been eight years since the Android project was officially released and introduced to the public – on September 23rd 2008 to be exact. In that short time, Google’s platform has rocked the mobile universe.

cyber aggressors are on a never-ending quest for yet unseen vulnerabilities to exploitInstead they’re coming up with new techniques to attack an increasing number of victims, on a never-ending quest for yet unseen vulnerabilities to exploit. A great example of this surfaced just a few weeks ago at the DEF CON 24 Hacking conference.

White hat security researchers revealed they had found four Android vulnerabilities, collectively naming them QuadRooter. According to their report, any of the four can be exploited by cybercriminals, providing them with access to smartphones and tablets equipped with Qualcomm chipsets, which adds up to around 900 million Android devices.

On top of that, cybercriminals are trying to misuse this situation, luring users into a trap by offering them fake apps promising to fix the security glitch. Unfortunately, that is not what those apps actually do. On the contrary, these programs serve users ads or just make them pay money for nothing. But this kind of deception is nothing new.

Despite the Google Bouncer and human review that work to block malicious content, several fake apps mimicking the popular game Pokémon GO appeared on Google Play. Amid the media-induced hype around the game, most of the copycat apps were serving users scareware, ads and surveys. One of them even froze the target devices and forced users to restart their smartphone by removing the battery.

Social engineering and phishing is also not uncommon when targeting Android users. At the beginning of the year, a fake app on the official market posing as Instagram offered potential downloaders a route to gain followers. However it was actually harvesting their social media account credentials in order to sell them.

Looking at some statistical data from earlier this year, the attackers were able to push over 340 malicious porn clickers into Google Play in just 7 months (between August 2015 and February 2016), with the average number of downloads reaching as high as 3,600 per fake app. These figures may actually be much lower than the true picture given that there are 1.5 million apps on the official app store.

What all these cases have in common is the fact that cybercriminals are trying to copy popular apps in order to attract as many victims as possible. If the malware is uncovered, they’ll often just make a few changes, repack the app and try their luck again. With this technique they are able to repeatedly infect large numbers of users with minimal effort invested into redesigning the malicious code.

The situation is worse at various unofficial markets, where even nastier malware is to be found. Very popular amongst PC-targeting cybercriminals, ransomware has already made its way to mobile platforms and ESET has seen both main types – lock-screen as well as crypto-ransomware.

So what’s the take through eight years of the Android story? The larger the platform and its user base gets, the more it’s targeted by cybercriminals. Thus, hoping for the best and letting its creators keep it secure isn’t enough. Instead, users should go the extra mile and follow a few basic principles to avoid unnecessary trouble:

First of all, keep your devices up to date, ideally set them to patch and update automatically, so that you stay protected even if you’re not among the most security savvy users.

If possible, stick with Google Play or other reputable app stores. These markets might not be completely free from malicious apps, but you have a fair chance of avoiding them.

Prior to installing any app, check its ratings and reviews. Focus on the negative ones, as they often come from legitimate users, while positive feedback is often crafted by the attackers.

Focus on the permissions requested by the app. If they seem inadequate for the app’s functions, avoid downloading the app.